We all know this because the memo was leaked to the Wall Street Journal, which prompted tons of media—including eWEEK, of course—to cover the story. The culprit seemed to be a tracer testing utility that Fujitsu provided to some customers, which apparently at least one customer continued to use in a live environment, which is a major security no-no. That parts old news. But what has gone on in the days since the memo leaked is sadly reminiscent of the old public security conundrum: the need to alert customers to a major security problem in as public and fast a way as possible, knowing that satanic evildoers—which could accurately describe criminal hackers intending to steal credit card information or my in-laws, but thats another column—will immediately try to take advantage of the security hole.
Most of the smarter bad guys know that they have an XX-hour (and often an XX-day) window after a major security hole is announced before most systems administrators will install the patch or make appropriate adjustments.
That forces companies like Visa—and, for that matter, almost every major software vendor—to play their game of risk/reward ratios: Will announcing this hole likely cause more harm or good?
As a compromise, many vendors have experimented with an in-between approach, whereby they reveal the information to a select group of partners/customers, the ones that will impact the most people and the ones that presumably have a good track record of keeping such information secret.
That seems to be what Visa has been trying to do. The problem: What to do when the secret memo becomes decidedly no longer secret. Should Visa throw up its mag-stripe hands and say, "Oh well. This stuff happens. Well now announce it to the world" or should it stick to its original script, hoping that no one notices what hundreds of newspapers, magazines and countless Web sites are reporting?
Visa has apparently opted for that latter scenario.
But wait, this gets better. In this memo, Visa talks about security problems and then mentions two specific Fujitsu products: RAFT and GlobalStore, according to the Journals March 17 story. (eWEEK has spoken with people on both the Visa and Fujitsu side, but has not reviewed the still humorously secret document.)
Fujitsu then steps to the podium and tells every reporter it can find that the memo was flawed, sort of. Ed Soladay, the COO for Fujitsu Transaction Solutions, said the Visa alert was "somewhat misleading" and "not fully correct."
In recent days, Fujitsu people have been more explicit in saying that the memo was "wrong," but thats not very meaningful unless they will say what specifically is wrong, which they wont.
Both Fujitsu and Visa people have said the two sides have been talking for weeks, and a Fujitsu person said Wednesday afternoon that nothing had been resolved. Fujitsu is hoping that Visa will issue a clarification statement.
Its almost impossible to comment on that without resorting to sarcasm, but lets just say that I expect to see that statement moments after the U.S. Senate bans all lobbyist campaign contributions.
Where does this all leave retail IT execs, whose business depends on the security of their POS applications? Visa has definitely forced them to be where they do not want to be.
Do they believe the relatively vague Visa advisory? Remember that the vast majority of them have never, ever seen the advisory, so they are forced to deal with vague partial reports of memos, which were apparently not overly specific in the first place.